Auth and page reload
Added by Ezra Buehler over 11 years ago
Hi,
I'm using the Auth module in my application and noticed that whenever I reload the page a new session is created and I have to log in again. In my config I have set reload-is-new-session to false. Reload only works when I am logged out and the Login form is visible, then WApplication::refresh() is actually called. I have tried this in various browser, with the same result. I could see the same behavior in the Hangman example and thus ask my self if this behavior is intended. How can I support refresh and preserve the session in my case?
Thanx in advance,
Ezra.
Replies (9)
RE: Auth and page reload - Added by Koen Deforche over 11 years ago
Hey Ezra,
The best solution is to use Wt::Auth::AuthService::setAuthTokensEnabled to allow the user to preserve his 'login' across sessions.
Then leave the session reload configuration to its default so that a reload will start a new session but the user does not need to login again.
This is the only (practical) solution that supports use cases where the user wants to open the same application in multiple windows/tabs, which each need their individual session. Preserving a session on reload would either require a cookie (which cannot discriminate multiple tabs/windows) or the session ID in the URL which is highly not recommended for security reasons (and ugliness).
Regards,
koen
RE: Auth and page reload - Added by Ezra Buehler over 11 years ago
Hi,
thank you for the quick reply. Unfortunately I am not that happy with using Auth tokens (or any cookies) because WebKit browsers will not accept cookies for IPs, and that is all I have. I understand the (big) security issue when one would authorize the user solely based on the session ID in the URL. But in my case security is not that big of an issue so I could live with such a solution. I guess for now I have to live without refresh and will enable Auth tokens in the future.
Cheers,
Ezra.
RE: Auth and page reload - Added by Koen Deforche over 11 years ago
Hey,
Then setting reload-is-new-session to false should work: it simply should 'redraw' the page, without any functional changes. What do you see going wrong in case you were logged in?
koen
RE: Auth and page reload - Added by Ezra Buehler over 11 years ago
I see that WApplication::refresh() is not called and a new session is created.
In my wt_config.xml I have following:
URL
false
false
Like I said reload-is-new-session=false seems to work for the case that I am not logged in.
RE: Auth and page reload - Added by Koen Deforche over 11 years ago
Hey Ezra,
Aaah I think I know what goes wrong --- logging in has as side effect changing the session ID, but this does not update the session ID in the URL...
Can you file a bug for this?
Regards,
koen
RE: Auth and page reload - Added by Ezra Buehler over 11 years ago
RE: Auth and page reload - Added by Cynthia Donato about 11 years ago
Hello,
I'm am also using the Auth module in my application and noticed that whenever I reload the page a new session is created and I have to log in again.
I have the Wt::Auth::AuthService::setAuthTokensEnabled set in my session but that does not seem to resolve my issue. This is with Wt version 3.2.3.
My Wt_config.xml has the following:
URL
true
false
Because my application is built as a series of tabs I believe it would be possible for me to set reload-is-new-session=false and then implement a content refresh of each tab as they are accessed but I was hoping there would be a better way to resolve my issue without having to do this.
If anyone has an idea why my application redirects me to the login page when i refresh the browser even though Wt::Auth::AuthService::setAuthTokensEnabled is set to true, this would be a big help.
Thanks in Advance,
Cyn
RE: Auth and page reload - Added by Koen Deforche about 11 years ago
Hey,
At least if the user checks 'remember-me' then indeed you should be able to login automatically in the new session after refresh.
This login is actually done by using processEnvironment() which will generate a login event if a proper cookie has been found. Perhaps you do not call that?
You can also check in the developer tools of the browser that indeed a cookie is being set, and the cookie is being sent back by the browser on subsequent requests.
Regards,
koen
RE: Auth and page reload - Added by Cynthia Donato about 11 years ago
Hi Koen,
Thank you for the quick response.
When I check the 'remember-me' I do indeed login automatically after I hit refresh, this is working correctly.
What I would like is that even if I have not checked 'remember me', if my current session has not timed-out I wish for it to keep me logged in automatically.
Is it intentional that I am logged out when 'remember-me' is not checked and I refresh the browser?
Through the developer tools I can see that the cookie I set using 'myAuthService.setAuthTokensEnabled(true, "logincookie")' does exist.
And I also see that it's value is changed when I refresh from the browser.
I do in fact have a "authWidget->processEnvironment();" call in the create() of my WQApplication.
Should it also be called somewhere else?
Thanks in advance,
Cyn